IIRC, the use of the CAS as a NAT gateway is only permitted for testing use as it has a limited number of connections.

Typically, if you're doing a L3 / OOB / real IP solution, you utilize policy-based routing to send the traffic through the CAS, and you would have to perform NAT on a device that is further upstream (towards the Internet).

From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Allen, Richard D CW2 NG NG NGB
Sent: Tuesday, August 23, 2011 12:39 PM
To: [email protected]
Subject: Configuration question (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Here is one for all you smart NAC admins - I am working on setting up a layer 3 OOB real IP gateway and have everything working except one part. My network uses public IP addresses (military) and thus no NAT'ing is configured on the network. My un-auth VLAN is set as a 192.168.x.x network and thus has no way to access the internet for remediation.

My question is - should internet traffic be flowing through the CAS and be using the trusted IP address of the CAS, or is it simply passed on with the IP address of the un-auth network? And if so, what is the easiest way to allow unauthorized network traffic limited access to the internet?

Richard Allen
CW2, SC, TNARNG
J6 JFHQ
3041 Sidco Drive
Nashville, TN 37204
Comm: 615-313-7522
DSN 683-7522

Classification: UNCLASSIFIED
Caveats: NONE
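The "PBR toward the CAS, NAT further upstream" arrangement from the reply above, written out as an added example of IOS-style configuration. This is not from the original thread or from Cisco documentation; every address, VLAN number, interface name and ACL/route-map name is a hypothetical placeholder (192.168.10.0/24 as the un-auth VLAN, 192.168.10.2 as the CAS untrusted interface, 198.51.100.2 as the CAS trusted interface, 203.0.113.10 as a remediation server), and the CAS's own role-based traffic policies are assumed to be configured separately in the CAM.

```ios
! ===== Edge / distribution L3 switch: policy-route un-auth traffic into the CAS =====
! Hypothetical: un-auth VLAN 110 = 192.168.10.0/24, switch SVI .1, CAS untrusted (eth1) = .2
ip access-list extended UNAUTH-TO-CAS
 ! keep intra-subnet traffic (DHCP, ARP-resolved peers) off the policy route
 deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 ! everything else from the un-auth subnet is handed to the CAS
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map PBR-UNAUTH permit 10
 match ip address UNAUTH-TO-CAS
 set ip next-hop 192.168.10.2
!
interface Vlan110
 description NAC un-auth VLAN (L3 OOB real-IP gateway)
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map PBR-UNAUTH

! ===== Upstream router (toward the Internet): NAT only the un-auth range, only to remediation =====
! Hypothetical: Gi0/0 faces the CAS trusted side (198.51.100.0/24), Gi0/1 faces the Internet
ip access-list extended UNAUTH-NAT
 ! only remediation destinations get translated; adjust hosts/ports to your remediation servers
 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 443
 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 80
 deny   ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source list UNAUTH-NAT interface GigabitEthernet0/1 overload
!
! Packets the NAT ACL denies are still forwarded untranslated; drop them before they leave
ip access-list extended NO-PRIVATE-OUT
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description toward CAS trusted interface
 ip address 198.51.100.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet uplink
 ip nat outside
 ip access-group NO-PRIVATE-OUT out
!
! Return path: translated replies must be routed back to the CAS trusted interface
ip route 192.168.10.0 255.255.255.0 198.51.100.2
```

Two things to check on a real deployment: the upstream router needs a route for the 192.168.x.x un-auth subnet pointing at the CAS trusted interface, otherwise de-translated return traffic is black-holed; and the NAT ACL is not an access control list in the security sense, so the outbound `NO-PRIVATE-OUT` filter (or an equivalent on the CAS trusted side) is what actually stops untranslated private-source packets from leaking toward the Internet. The allowed destinations should match the unauthenticated-role traffic policy on the CAS rather than widen it.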
